Hello. I am running a multisite with about 50 client sites on 4.1.1. It is running on a dedicated cloud server. Every few days i find a strange php file uploaded to the root of my wordpress install. The file is called EX-Same.php It will be owned by www-data and have 0644.
The site did not go down however to be safe, I moved the install to another cloud server with diff IP and a fresh wp install . Replaced the plugins and themes. Checked the database. Installed wordfence. Double checked dir permissions. changed all pwords etc etc..
After all that it happened again.
Have you guys seen this before? Would you have any suggestions on a security hole im missing? Though the sites havent gone down and no one has accessed the control panel this is making me lose sleep.
Please let me know if you have any suggestions.